W32/Brontok.Q@mm - Released May 17, 2006 - Last Updated Feb 13, 2009

Alias/es

W32/Rontokbro.gen@MM virus, W32/Brontok-BZ, WORM_RONTKBR.GEN, Worm:Win32/Brontok.L@mm, Win32/Brontok.worm.147456, W32/Brontok.S@mm, Win32/Brontok.Y worm

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

  • Presence of the file %Windows%\eksplorasi.exe.

Detailed Analysis

  • It drops the following files:
    • %Windows%\eksplorasi.exe
    • %Windows%\ShellNew\bronstab.exe
    • %Windows%\system32\User's Setting.scr
    • %Windows%\Tasks\At1.job
    • %CurrentUser%\Local Settings\Application Data\Bron.tok-10-12
    • %CurrentUser%\Local Settings\Application Data\csrss.exe
    • %CurrentUser%\Local Settings\Application Data\inetinfo.exe
    • %CurrentUser%\Local Settings\Application Data\ListHost10.txt
    • %CurrentUser%\Local Settings\Application Data\lsass.exe
    • %CurrentUser%\Local Settings\Application Data\services.exe
    • %CurrentUser%\Local Settings\Application Data\smss.exe
    • %CurrentUser%\Local Settings\Application Data\Update.10.Bron.Tok.bin
    • %CurrentUser%\Local Settings\Application Data\winlogon.exe
    • %CurrentUser%\Start Menu\Programs\Startup\Empty.pif
    • %CurrentUser%\Templates\WowTumpeh.com
  • To automatically execute itself during startup, the malware applies the following registry modifications:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Tok-Cirrhatus = %CurrentUser%\Local Settings\Application Data\smss.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Bron-Spizaetus = %Windows%\ShellNew\bronstab.exe
  • Additionally, it creates a JOB file in the %Windows%\Tasks folder to automatically execute the file %CurrentUser%\Templates\WowTumpeh.com.

  • The malware also takes several steps to hide itself and evade suspicion: it disables registry editing, disables the command prompt, and changes the folder options so that file extensions are hidden. This is done by creating or modifying the following registry values:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      DisableRegistryTools = 01
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      DisableCMD = 00
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoFolderOptions = 01
  • It also purges the contents of the Autoexec.bat file, replacing them with the single command pause, which causes Windows 9X-based systems to stop and wait for the user to press a key during boot.
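The dropped files, autorun values, policy values and Autoexec.bat change listed above can be checked for on a Windows host with a read-only sweep. The following PowerShell script is an added example and is not part of the Fortinet entry or any Fortinet product: the paths and registry value names are taken from the entry, while the function name Find-BrontokQArtifact and the mapping of %Windows% to $env:windir and %CurrentUser% to $env:USERPROFILE are assumptions of this example.

```powershell
# Added example, not part of the Fortinet entry: a read-only sweep for the
# artifacts listed in the analysis. Paths and registry value names come from
# the entry; the function name and the placeholder resolution are assumptions.
function Find-BrontokQArtifact {
    # Resolve the %Windows% and %CurrentUser% placeholders used in the entry.
    # "Local Settings\Application Data" is the legacy (Windows 2000/XP) profile
    # layout the entry describes; newer profiles expose it only as a junction.
    $win   = $env:windir
    $usr   = $env:USERPROFILE
    $local = Join-Path $usr 'Local Settings\Application Data'

    $droppedFiles = @(
        (Join-Path $win 'eksplorasi.exe'),
        (Join-Path $win 'ShellNew\bronstab.exe'),
        (Join-Path $win "system32\User's Setting.scr"),
        (Join-Path $win 'Tasks\At1.job'),
        (Join-Path $local 'Bron.tok-10-12'),
        (Join-Path $local 'csrss.exe'),
        (Join-Path $local 'inetinfo.exe'),
        (Join-Path $local 'ListHost10.txt'),
        (Join-Path $local 'lsass.exe'),
        (Join-Path $local 'services.exe'),
        (Join-Path $local 'smss.exe'),
        (Join-Path $local 'Update.10.Bron.Tok.bin'),
        (Join-Path $local 'winlogon.exe'),
        (Join-Path $usr 'Start Menu\Programs\Startup\Empty.pif'),
        (Join-Path $usr 'Templates\WowTumpeh.com')
    )
    foreach ($path in $droppedFiles) {
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Type = 'File'; Location = $path; Data = $null }
        }
    }

    # Registry values the entry attributes to the worm: the two autorun
    # entries and the three policy values that hinder cleanup.
    $registryValues = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';              Name = 'Tok-Cirrhatus' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';              Name = 'Bron-Spizaetus' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
    )
    foreach ($rv in $registryValues) {
        # Get-ItemProperty returns nothing (no error) when the key or value is absent.
        $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Type = 'Registry'; Location = "$($rv.Key)\$($rv.Name)"; Data = $item.($rv.Name) }
        }
    }

    # Autoexec.bat whose entire content has been replaced by "pause".
    $autoexec = Join-Path $env:SystemDrive 'Autoexec.bat'
    if (Test-Path -LiteralPath $autoexec) {
        # Cast to [string] so an empty file yields '' rather than $null.
        $content = ([string](Get-Content -LiteralPath $autoexec -Raw)).Trim()
        if ($content -ieq 'pause') {
            [pscustomobject]@{ Type = 'File'; Location = $autoexec; Data = 'content replaced with "pause"' }
        }
    }
}

# Run the sweep; an empty result means none of the listed artifacts is present.
Find-BrontokQArtifact | Format-Table -AutoSize
```

The sweep only reads; it does not delete files or reset the policy values, so it can be run before cleanup to confirm an infection and again afterwards to confirm that the artifacts are gone. Because the worm's copies use names of legitimate system processes (csrss.exe, lsass.exe, services.exe, smss.exe, winlogon.exe), the check is keyed on the full path under the user profile rather than on the file name alone.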

  • The malware arrives as an attachment to a spam email, using any of the following attachment filenames:
    • DOC.EXE
    • XLS.EXE
    • PATAH
    • HATI
    • CINTA
    • UNTUKMU
    • DATA-TEMEN
    • RIYANI
    • JANGKARU
    • KANGEN
  • The malware has been observed to contain its own SMTP engine. It harvests target email addresses from the infected host's address book and may spoof the From field with any of the following email addresses:
    • Berita_@kafegaul.com
    • GaulNews_@kafegaul.com
    • Movie_@playboy.com
    • HotNews_@playboy.com
  • The malware may also modify the file %System%\drivers\etc\hosts to prevent the infected user from accessing various security-related sites.

  • The malware has an icon that resembles a Windows folder to appear less conspicuous.
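Because the entry does not name the sites the worm blocks, a practical check is to list every hosts-file entry that maps a name other than the loopback defaults, which is what the script below does. This PowerShell function is an added example and not part of the Fortinet entry; the function name Get-SuspiciousHostsEntry is an assumption, and the sample hosts content is constructed for illustration (the vendor-like names in it are placeholders, not entries taken from a real infection).

```powershell
# Added example, not part of the Fortinet entry: report hosts-file entries
# that redirect names other than the loopback defaults. Function name and
# sample content are constructed for this example.
function Get-SuspiciousHostsEntry {
    param(
        [string[]]$Lines,
        # Names a clean hosts file is expected to contain.
        [string[]]$AllowedNames = @('localhost', 'localhost.localdomain', 'broadcasthost')
    )
    $num = 0
    foreach ($raw in $Lines) {
        $num++
        $line = ($raw -split '#', 2)[0].Trim()      # strip trailing comments
        if (-not $line) { continue }                 # blank or comment-only line
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }        # address with no host name
        $address = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            if ($AllowedNames -notcontains $name.ToLowerInvariant()) {
                [pscustomobject]@{ Line = $num; Address = $address; HostName = $name }
            }
        }
    }
}

# Constructed sample resembling a tampered hosts file.
$sampleHosts = @'
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # update site redirected to loopback
0.0.0.0         downloads.example-av-vendor.test
'@
$sampleLines = $sampleHosts -split "`r?`n"

# Reports lines 3 and 4; the localhost entry on line 2 is not flagged.
Get-SuspiciousHostsEntry -Lines $sampleLines | Format-Table -AutoSize

# Read-only check of the local machine (the entry's %System% is $env:windir\System32):
# Get-SuspiciousHostsEntry -Lines (Get-Content -LiteralPath "$env:windir\System32\drivers\etc\hosts")
```

Any entry the function reports should be compared against what an administrator intentionally added; on a workstation with no deliberate hosts-file customisation, an entry pointing a vendor update or download site at 127.0.0.1 or 0.0.0.0 is the tampering the entry describes, and removing it restores access to the blocked sites.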

Recommended Action

  FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.

  FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.


    Reference: ID - 252742